Researchers at CyberMDX discovered multiple security vulnerabilities present in GE CARESCAPE Patient Monitors, ApexPro, and Clinical Information Center (CIC) systems.
The vulnerabilities were first reported on September 18, 2019. In the ensuing months, CyberMDX, GE, and CISA collaborated to confirm the vulnerabilities, audit their technical details, evaluate the associated risk, and work through the responsible disclosure process.
The vulnerabilities could allow an attacker to make modifications at the software level of the device, with possible ramifications including rendering the device unusable, interfering with device functionality, making certain changes to alarm settings, and exposing protected health information (PHI).
CyberMDX Head of Research, Elad Luz, commented, “Our goal is to bring these issues to the attention of healthcare providers so that they can be quickly addressed — contributing to safer, more secure hospitals. As such, every disclosure is another step in the right direction. The speed, responsiveness, and seriousness with which GE treated this matter is very encouraging. At the same time, there remains work to be done and we are eager to see GE issue security patches for these vital devices.”